Detecting impersonation on a social network

ABSTRACT

In one implementation, a method includes receiving a claim that identifies a first user profile page as allegedly impersonating a second user profile page on a social network, and retrieving first information associated with the first user profile page and second information associated with the second user profile page. The method can also include comparing the first information and the second information to identify indicators of impersonation. The method can further include, based upon the identified indicators of impersonation, determining that the first user profile page is likely impersonating the second user profile page on the social network, wherein first user profile page is determined to be likely impersonating the second user profile page when the first and second user profile pages are determined to be similar to each other; and returning a flag indicating that the first user profile page is likely impersonating the second user profile page.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is a continuation of and claims priority under 35U.S.C. §120 to U.S. application Ser. No. 12/495,099, filed on Jun. 30,2009, the entire contents of which are hereby incorporated by reference.

TECHNICAL FIELD

This document generally describes techniques, methods, systems, andmechanisms for identifying impersonation of a user profile page on asocial network.

BACKGROUND

A social network can be an online system that provides a forum forgeographically separated users to interact with one another. Socialnetworks can be aimed at different types of social interaction, such asfriendship and business networking. A user of a social network can havea profile page (e.g., a web page on the social network) that providesinformation about the user to other users of the social network. Aprofile can include information regarding a user's acquaintancerelationships (e.g., friends, colleagues, schoolmates, etc.) on thesocial network.

A user can impersonate (e.g., assume the identity of another) anotheruser on a social network by creating a profile page that containscontent identifying the impersonated user (e.g., the victim ofimpersonation). For example, a first user can impersonate a second useron a social network by creating a profile page that contains identifyinginformation about the second user, such as the second user's name, age,location, occupation, and photograph. An impersonating profile page maycopy some or all of the impersonating content from the victim's profilepage. Impersonation may be performed for a variety of reasons, such asmalice toward the victim (e.g., impersonator has intent to defame thevictim), and/or intent to usurp the victim's influence on a socialnetwork (e.g., impersonator able to garner the victim's reputation whenrecommending a product to the victim's friends).

Detecting impersonation on a social network has included manual reviewof an alleged impersonator's profile page and, in some cases, review ofan alleged victim's profile page by a human.

SUMMARY

This document describes techniques, methods, systems, and mechanisms fordetecting impersonation of a user's profile page on a social network. Ingeneral, impersonation can be detected by comparing elements (e.g.,fields, photos, metadata, etc.) of a profile page of an allegedimpersonator with elements of a profile page of an alleged victim. Sucha comparison can yield signals indicating that the profile page of thealleged impersonator is likely impersonating the profile page of thealleged victim. Based upon detected signals indicating impersonation, adetermination can be made as to a likelihood that the profile page ofthe alleged impersonator is impersonating the profile page of thealleged victim.

In one implementation, a computer-implemented method includes receivingat a server system a claim that identifies a first user profile page ona social network as allegedly impersonating a second user profile pageon the social network, and retrieving by the server system firstinformation associated with the first user profile page and secondinformation associated with the second user profile page. The method canalso include comparing by the server system the first information andthe second information to identify indicators of impersonation, whereincomparing the first information and the second information to identifyindicators of impersonation comprises identifying similarities ofelements on the first user profile page and corresponding elements onthe second user profile page. The method can further include, based uponthe identified indicators of impersonation, determining that the firstuser profile page is likely impersonating the second user profile pageon the social network, wherein first user profile page is determined tobe likely impersonating the second user profile page when the first andsecond user profile pages are determined to be similar to each other;and returning by the server system a flag indicating that the first userprofile page is likely impersonating the second user profile page.

In another implementation, a system for identifying impersonation of auser profile page on a social network includes one or more servers, andan interface to the one or more servers to receive a claim thatidentifies a first user profile page on a social network as allegedlyimpersonating a second user profile page on the social network and toreturn a flag indicating that the first user profile page is likelyimpersonating the second user profile page. The system can also includea user profile retrieving component to retrieve first informationassociated with the first user profile page and second informationassociated with the second user profile page, and a comparison module tocompare the first information and the second information to identifyindicators of impersonation, wherein comparing the first information andthe second information to identify indicators of impersonation comprisesidentifying similarities of elements on the first user profile page andcorresponding elements on the second user profile page. The system canfurther include an impersonation analysis component to determine thatthe first user profile page is likely impersonating the second userprofile page on the social network based upon the identified indicatorsof impersonation.

In another implementation, a system for identifying impersonation of auser profile page on a social network includes one or more servers, andan interface to the one or more servers to receive a claim thatidentifies a first user profile page on a social network as allegedlyimpersonating a second user profile page on the social network and toreturn a flag indicating that the first user profile page is likelyimpersonating the second user profile page. The system can also includea user profile retrieving component to retrieve first informationassociated with the first user profile page and second informationassociated with the second user profile page, and means for comparingthe first information and the second information to identify indicatorsof impersonation, wherein comparing the first information and the secondinformation to identify indicators of impersonation comprisesidentifying similarities of elements on the first user profile page andcorresponding elements on the second user profile page. The system canfurther include an impersonation analysis component to determine thatthe first user profile page is likely impersonating the second userprofile page on the social network based upon the identified indicatorsof impersonation, wherein first user profile page is determined to belikely impersonating the second user profile page when the first andsecond user profile pages are determined to be similar to each other.

Particular embodiments can be implemented to realize one or more of thefollowing advantages. For instance, greater efficiency can be gainedwith respect to detecting impersonation on a social network. Instead ofmanually detecting impersonation, a variety of automated techniques canbe used to more quickly and more efficiently handle claims ofimpersonation. The automated techniques provide a scalable solution to afluctuating volume of claims of impersonation that can be produced by alarge user-base. Additionally, the automated techniques enable morecomplex and thorough comparisons that may not be efficiently performedmanually.

The details of one or more embodiments are set forth in the accompanyingdrawings and the description below. Other features, objects, andadvantages of the invention will be apparent from the description anddrawings, and from the claims.

DESCRIPTION OF DRAWINGS

FIG. 1 is a conceptual diagram of an example system for detectingimpersonation of a user profile page on a social network.

FIG. 2 is a diagram of another example system for detectingimpersonation of a user profile page on a social network.

FIGS. 3A-B are flowcharts depicting example processes for detectingimpersonation of a user profile page on a social network.

FIG. 4 is a timeline of an example process for detecting impersonationof a user profile page on a social network.

FIG. 5 is a block diagram of computing devices that may be used toimplement the systems and methods described in this document, as eithera client or as a server or plurality of servers.

Like reference symbols in the various drawings indicate like elements.

DETAILED DESCRIPTION

This document generally describes detecting impersonation on a socialnetwork. More specifically, the document describes methods, systems, andmechanisms for automating detection of user profile impersonation on asocial network by analyzing and comparing a profile of an allegedimpersonator (a user alleged to be impersonating the profile of anotheruser of the social network) and/or a profile of an alleged victim (auser alleging impersonation).

A profile for a user on a social network can include a variety ofdetails regarding the identity of the user. For instance, a user'sprofile can include identifying information such as the user's name,location (e.g., country, city, neighborhood, etc.), contact information(e.g., email address, phone number, etc.), occupation, employer,educational institutions attended, acquaintance relationships (e.g.,friends, colleagues, family, etc.), interests (e.g., sports, music,outdoors, etc.), photographs and videos of the user, etc.

A user (an impersonator) can impersonate the identity of another user (avictim) on a social network by creating a profile that has some or allof the identifying details contained in the victim's profile. Forinstance, a first user may impersonate a second user on a social networkby creating a new profile and populating fields (e.g., name, location,occupation, etc.) of new profile with copied text (e.g., name, location,occupation, etc.) and photographs from the second user's profile.Additionally, the second user may attempt to create acquaintancerelationships (e.g., send friend requests) with the same users that thefirst user has acquaintance relationships with.

When two users have similar profiles, it can be difficult to determinewhether impersonation is taking place and, if so, which user's profileis the impersonator and which user's profile is being impersonated.

To automate detection of impersonation between the profiles of two users(an alleged impersonator and an alleged victim), analysis and comparisonof the two profiles can be performed. Analysis can include determiningan extent to which the profile of the alleged impersonator containsindicators of impersonation. A variety of profile characteristics canserve as indicators of impersonation, such as little to no activity(e.g., interaction with other users of the social network, profileupdates, etc.) since the profile was initially created, membership incertain groups (e.g., deleted groups, flagged groups, etc.) on thesocial network, content defaming the user purported to be associatedwith the profile, flagging of the profile by other users of the socialnetwork, the presence of pornographic content, etc.

For example, analysis of a first profile of the alleged impersonatorthat has had no activity (e.g., the user has not signed-on to the socialnetwork) since creation of the profile and that contains negativeremarks (e.g., “I am stupid”) regarding the associated user may indicateimpersonation by the first profile. Conversely, analysis of a secondprofile of the alleged impersonator that has had regular and frequentactivity (e.g., profile updates, friend additions, etc.) since creationand that contains no defamatory or pornographic content may indicateagainst impersonation by the second profile.

As described above, detecting impersonation can also include comparing aprofile of an alleged impersonator and a profile of an alleged victim.The two profiles can be compared to identify indicators of impersonationas well as indicators that impersonation is not taking place.Impersonation can be indicated by a variety of similarities between thetwo profiles. For instance, impersonation can be indicated by the twoprofiles containing similar fields (e.g., name, location, occupation,age, etc.), similar photographs, similar community memberships, similaracquaintance relationships, etc. Impersonation by the allegedimpersonator can additionally be indicated by similar content (e.g.,fields, photographs, etc.) on the alleged impersonator's profilepostdating the similar content on the profile for the alleged victim(e.g., the same name field was added to the alleged impersonator'sprofile after it was added to the profile page of the alleged victim).Postdating can indicate that the content possibly originated in theprofile of the alleged victim and that it was copied by the allegedimpersonator.

Some similarities between the profiles of the alleged impersonator andthe alleged victim can more strongly indicate impersonation than othersimilarities. For instance, the two profiles sharing sensitive personalinformation, such as contact information (e.g., phone number, address,etc.), can more strongly indicate impersonation than the two profilessharing interests (e.g., sports, music, etc.).

Impersonation not taking place between the two profiles can be indicatedin a variety of ways, such as by dissimilarity between content of thetwo profiles (e.g., the two profiles have different names), similarcontent contained in the alleged impersonator's profile that predatesthe similar content on the profile of the alleged victim (e.g., the samename field was added to the alleged impersonator's profile before theprofile of the alleged victim), the alleged impersonator having moreacquaintance relationships than the alleged victim, the allegedimpersonator having an acquaintance relationship with the allegedvictim, etc. The strength of such indications against impersonation canvary. For example, a photograph on the alleged impersonator's profilethat predates the same photograph on the alleged victim's profile canmore strongly indicate impersonation is not taking place than the twoprofiles having different interests.

Impersonation can be detected by evaluating the indicators ofimpersonation and the indicators that impersonation is not taking placeas determined from analyzing and comparing the profiles of the allegedimpersonator and the alleged victim. Various models and thresholds canbe used to determine, from these indicators, likelihood of impersonation(e.g., impersonation is certain, impersonation probable, notimpersonation taking place, etc.). In various implementations, theseindicators are quantified (e.g., 10 points for the two profiles havingthe same name, 2 points for the profiles having the same interest, etc.)and can be combined to form a match score for the two profiles. Such amatch score can indicate a likelihood of impersonation.

Based upon the determined likelihood of impersonation, a variety ofactions can be taken with regard to the profile of the allegedimpersonator. For instance, the profile of the alleged impersonator canbe deleted from the social network if impersonation is certain. Inanother example, the profile of the alleged impersonator can be flaggedfor human review if impersonation is probable (e.g., the allegedimpersonator's profile has some similarities as well as somedissimilarities with respect to the profile of the alleged victim). In afurther example, the profile of the alleged impersonator can remain onthe social network without further review if impersonation is notlikely.

FIG. 1 is a conceptual diagram of an example system 100 for detectingimpersonation of a user profile page on a social network. FIG. 1 showsan impersonation server 102 that determines a likelihood that an allegedvictim's profile page 104 is being impersonated by an allegedimpersonator's profile page 106. Similar to the description above, theimpersonation server 102 can detect impersonation by identifying signals(e.g., indicators) of impersonation 108 based on the alleged victim'sprofile page 104 and/or the alleged impersonator's profile page 106.From the identified signals of impersonation 108, the impersonationserver 102 can provide an output 110 (e.g., a flag, a message, adisplay, etc.) regarding a likelihood of impersonation (e.g.,impersonation is highly likely, impersonation is likely but not certain,impersonation is unlikely, etc.) between the profile pages 104 and 106.

The profile page 104 and the profile page 106 are example pages of asocial network (e.g., FACEBOOK, ORKUT, MYSPACE, LINKEDIN, etc.) relatingto the alleged victim (e.g., a user alleging impersonation of itsprofile page) and the alleged impersonator (e.g., the user alleged to beimpersonating the victim's profile page 104), respectively. A socialnetwork can have a multitude of users. A user of a social network canhave a profile page that contains content regarding the user, such asthe user's name, location, interests, background, etc. At least some ofthe content contained in a profile page can identify a user to otherusers of the social network. For instance, members of a high schoolclass can locate each other on a social network based on the members'profile pages containing information regarding their high school andyear of graduation.

The profile pages 104 and 106 are presented for illustrative purposesand contain example content 112 a-g and 114 a-g, respectively. Dependingon the social network, the content contained in a profile page can vary.For instance, a first user of a business oriented social network (e.g.,LINKEDIN) a may list work history in its profile page, whereas a seconduser of a friendship oriented social network (e.g., MYSPACE) may listmusical interests in its profile page

The alleged victim's profile page 104 includes a name field 112 a (“JohnDoe”), a photograph 112 b, a location field 112 c (Seattle), an agefield 112 d (30), an occupation field 112 e (engineer), a list ofschools attended 112 f (State University, 2002; Central High, 1998), anda list of friends 112 g (Alice, Bob, Carl, Dwight, and Eve) on thesocial network. The alleged impersonator's profile page 106 contains thesame fields with virtually identical content: a name field 114 a (“JohnDoe”), a photograph 114 b, a location field 114 c (Seattle), an agefield 114 d (30), an occupation field 114 e (engineer), a list ofschools attended 114 f (State University, 2002; Central High, 1998), anda list of friends 114 g (Alice, Bob, and Carl) on the social network.

Impersonation of a user's profile page can create confusion on a socialnetwork as to which profile page actually corresponds to the user thatis depicted. For instance, a user of the social network trying toidentify a profile page belonging to the “John Doe” will likely havedifficulty determining which of the two profile pages 104 and 106 isauthentic (e.g., not impersonating another user).

The impersonation server 102 receives the profile page 104 of thealleged victim and the profile page 106 of the alleged impersonator (oridentifiers corresponding to the profile pages 104 and 106). Theimpersonation server 102 can receive the profile pages 104 and 106 froma variety of sources. For example, the impersonation server 102 mayreceive the profile pages 104 and 106 from a user alleging impersonation(e.g., the alleged victim entered the profile pages 104 and 106 into auser interface). In another example, the impersonation server 102 mayreceive the profile pages 104 and 106 from a routine running on thesocial network that identifies similar profile pages for review by theimpersonation server 102.

Upon receiving the profile pages 104 and 106, the impersonation server102 can begin to determine the likelihood that the profile page 106 isimpersonating the profile page 104 of the alleged victim. As describedabove, the impersonations server 102 can make such a determination bydetecting signals of impersonation 108 (e.g., detect indicators ofimpersonation). A signal of impersonation can indicate that, based uponthe signal being detected, impersonation is more likely than not. Forexample, the profile page 106 of the alleged impersonator having content114 a-f that is identical to content 112 a-f of the profile page 104 ofthe alleged victim can be signal of impersonation—it is more likely thannot that the profile page 106 is impersonating the profile page 104based upon these similarities.

Signals (indicators) of impersonation can be detected by comparing theprofile page 104 of the alleged victim with the profile page 106 of thealleged impersonator. Signals of impersonation can also be detected byanalyzing the profile page 104 of the alleged victim and/or the profilepage 106 of the alleged impersonator. Strengths by which signalsindicate impersonation can vary. For instance, two profile pages sharingthe same name is likely a stronger indicator of impersonation than thetwo profile pages sharing the same interest.

Signals (indicators) contrary to impersonation can also be detected bythe impersonation server 102. A signal contrary to impersonation canindicate that, based on the signal being detected, it is more likelythan not that no impersonation is taking place. For example, were thealleged impersonator's profile page 104 to be older than (created on thesocial network before) the alleged victim's profile page 106, then asignal contrary to impersonation can be detected—it is more likely thannot that no impersonation is taking place based on the allegedimpersonator's profile page 104 predating the alleged victim's profilepage.

Table 116 depicts some example signals (indicators) of impersonation andcontrary to impersonation that can be detected by the impersonationserver 102 from the profile pages 104 and 106. Column 118 a contains theexample signals 120 a-j (indicators) that are detected by theimpersonation server 102. Columns 118 b and 118 d contain content fromthe alleged victim's profile page 104 and the alleged impersonator'sprofile page 106, respectively, that are used to detect each of thesignals 102 a-j. Columns 118 c and 118 e list timestamps (e.g., arecorded time) associated with the content contained in columns 118 band 118 d, respectively, which can be used by the impersonation server102 to detect the signals 120 a-j. Column 118 f contains determinationsmade by the impersonation server 102 as to whether each of the signals120 a-j is an indicator of impersonation (denoted with a ‘+’), is anindicator contrary to impersonation (denoted with a ‘−’), or is neutralas to impersonation.

A variety of signals are depicted in the table 116. For signals 120 a-b,120 c, and 120 g, the impersonation server 102 compares a field from theprofile 104 of the alleged victim with a field from the profile 106 ofthe alleged impersonator to detect similarities. Based on detected fieldsimilarities (or dissimilarities) from these comparisons, theimpersonation server 102 determines whether impersonation is indicated.Similarity can be correlated with a likelihood of impersonation—agreater degree of similarity between the two profile pages cancorrespond to a higher likelihood of impersonation by the allegedimpersonator.

As demonstrated by the ‘+’ for the signal 120 a, impersonation isindicated by the alleged impersonator having the same name field (112 aand 114 a) as the alleged victim. As demonstrated by the ‘+’ for thesignal 120 b, impersonation is indicated by the alleged impersonatorhaving the same location field (112 c and 114 c) as the alleged victim.As demonstrated by the ‘+’ for the signal 120 d, impersonation isindicated by the alleged impersonator having the same photo (112 b and114 b) as the alleged victim. As demonstrated by the ‘+’ for the signal120 g, impersonation is indicated by the alleged impersonator having thesame associated email address as the alleged victim. As exemplified bycomparison of the email address, fields that are associated with but notdisplayed on the profile pages 104 and 106 can be compared to identifyimpersonation.

For the signals 120 a-b, 120 c, and 120 g, the impersonation server 102may also consider timestamp information for the compared content. Forinstance, if similar content originated on (e.g., was added to) thealleged victim's profile page before it appeared on the allegedimpersonator's profile page, then the impersonation server 102 maydetermine that impersonation is more likely than not. Conversely, ifsimilar content originated on the alleged impersonator's profile pagebefore appearing on the alleged victim's profile page, then theimpersonation server 102 may determine that it is more likely than notthat no impersonation is taking place (e.g., it is unlikely the allegedimpersonator copied content that had not yet been added to the allegedvictim's page). For the signals 120 a-b, 120 c, and 120 g, the timestampinformation from columns 118 c and 118 e indicates that name, location,photo, and email content originated on the profile 104 of the allegedvictim (on Oct. 10, 2005) before appearing on the profile 106 of thealleged impersonator (on Nov. 11, 2005). The impersonation server 102can use this timestamp information to determine that each of the signals120 a-b, 120 c, and 120 g indicates impersonation.

For the signal 120 c, the impersonation server 102 can compare a numberof friends 112 g (or other acquaintance relationships on a socialnetwork) that the alleged victim has with a number of friends 114 g forthe alleged impersonator. The number of friends associated with thealleged impersonator's profile page 106 can be inversely correlated witha likelihood of impersonation—a smaller number of friends for thealleged impersonator's profile page 106 can indicate a greaterlikelihood of impersonation. In this example, impersonation is indicatedby the alleged victim having more friends (e.g., the alleged victim ismore active on and/or involved with the social network) than the allegedimpersonator.

A variety of other aspects of acquaintance relationships (friends) canbe examined to indicate impersonation, such as a number of overlappingacquaintance relationships (e.g., friends the alleged victim and thealleged impersonator have in common), comparing timestamps at whichpoint each of the overlapping acquaintance relationship was established(e.g., did the alleged impersonator or the alleged victim add Alice as afriend first), interactions via acquaintance relationships (e.g.,messages sent to a friend, view of a friend's profile page, etc.), etc.

For the signal 120 f, the impersonation server 102 can compare a numberof times that the profile page 104 has been flagged by other users ofthe social network in comparison to a number of times the profile page106 has been flagged. A user's profile page can be flagged by otherusers for a variety of reasons, including another user believing theprofile page is an imposter, the profile page displayinginappropriate/offensive content, etc. The number of times that thealleged impersonator's profile page 106 is flagged can correlate to alikelihood of impersonation—a greater number of flags for the allegedimpersonator's profile page 106 can indicate a greater likelihood ofimpersonation by the alleged impersonator. In this example,impersonation is indicated by the profile page 106 of the allegedimpersonator having been flagged (two times) more than the profile page104 of the alleged victim (flagged zero times).

For the signal 102 h, the impersonation server 102 can compare a levelof activity on a social network for the alleged impersonator with alevel of activity for the alleged victim. Activity on a social networkcan be gauged in a variety of ways, including through interaction withother users (e.g., messages sent to and/or received from other users,views of other users' pages, interaction with other users through onlineapplications (e.g., games, messaging, etc.)), updates/additions to thecontent of a user's profile page, etc. Activity on a social network bythe alleged impersonator can be inversely correlated to a likelihood ofimpersonation—a smaller degree of activity by the alleged impersonatorcan indicate a greater likelihood of impersonation. In this example,impersonation is indicated by the profile page 104 for the allegedvictim having a greater level of activity (high) on the social networkthan the profile page 106 for the alleged impersonator (low activity).

For the signal 120 i, the impersonation server 102 can compare communitymemberships for the alleged victim with community memberships for thealleged impersonator. Social networks can have communities to whichusers belong. Communities can be user created and can be centered ontopics, themes, geographic location, educational institutionaffiliation, etc. A greater number of community memberships for thealleged impersonator can be inversely correlated to a likelihood ofimpersonation—a smaller number of community memberships for the allegedimpersonator can indicate that impersonation by the alleged impersonatoris more likely. In this example, an indicator contrary to impersonationis determined by the alleged impersonator having a greater amount ofcommunity memberships (medium) than the alleged victim (low communitymemberships).

For the signal 120 j, the impersonation server 102 can compare the ageof the profile 104 of the alleged victim with the age of the profile 106of the alleged impersonator. For the alleged impersonator, length ofexistence on the social network can be correlated to likelihood ofimpersonation—the shorter the alleged impersonator's profile 106 hasexisted on the social network, the more likely it is to be impersonatingthe alleged victim's profile 104. In this example, no indicator ofimpersonation is provided for the signal 120 j (the signal 120 j isneutral) as the alleged victim's profile 104 and the allegedimpersonator's profile 106 have roughly the same age (approximately 3.5years) on the social network.

The signals 120 a-j are described above for illustrative purposes.Additional signals and additional aspects of the signals 120 a-j aredetailed below.

The impersonation server 102 combines the indicators of impersonation(column 118 f) for the detected signals 120 a-j to determine thelikelihood that the alleged impersonator's profile page 106 isimpersonating the alleged victim's profile page 104. The indicators canbe combined so as to take into account the strength by which each signal120 a-j provides an indication of or contrary to impersonation. Theimpersonation server 102 determines a likelihood of impersonation basedupon the combined indicators and returns the output 110 indicating thedetermined likelihood. Given the similarities and the signals ofimpersonation between the alleged victim's profile 104 and the allegedimpersonator's profile 106, in the depicted example the impersonationserver 102 returns a high likelihood of impersonation as the output 110.

FIG. 2 is a diagram of another example system 200 for detectingimpersonation of a user profile page on a social network. Similar to thesystem 100 described above with regard to FIG. 1, the system 200 depictsa server system 202 that is capable of detecting a likelihood ofimpersonation between user profiles (e.g., an alleged impersonator'sprofile page and an alleged victim's profile page) on a social network.The server system 202 can receive a claim of impersonation from a clientcomputer 204 over a network 206. The server system 202 can also receivea claim of impersonation from a social network server 208 over thenetwork. The social network server 208 can host a social network 210 ofusers. The depicted social network 210 is represented as a social graphof users and acquaintance relationships (e.g., friendship, businessrelationship, colleague, neighbor, etc.), where the users are nodes(e.g., A, B, etc.) and the acquaintance relationships are the verticesconnecting the nodes.

The client computer 204 can be any sort of computing device capable oftaking input from a user and communicating over the network 208 with theserver system 202. For instance, the client computer 204 can be adesktop computer, a laptop, a cell phone, a PDA, a server, a embeddedcomputing system, etc. The client computer 204 includes an impersonationclaim module 212 that is capable of receiving input from a user andformulating a claim of impersonation to send to the server system 202regarding impersonation by a user of the social network 210. A claim ofimpersonation can identify an alleged impersonator and an allegedvictim. The impersonation claim module 212 transmits an impersonationclaim from the client computer 204 to the server system 202 via aninput/output (I/O) interface 214. The I/O interface 214 can be any typeof interface capable of communicating with the server system 202 overthe network 206, such as an Ethernet interface, a wireless networkinginterface, a fiber-optic networking interface, a modem, etc.

The network 206 can be any of a variety of networks over which theclient computer 204, the server system 202, and the social networkserver 208 can communicate. For example, the network can be a local areanetwork (LAN), a wide area network (WAN), the Internet, an intranet, awireless network, a point-to-point network, etc. The network 208transmits a claim of impersonation from the client computer 204 to theserver system 202.

The server system 202 can be any of a variety of computing devicescapable of detecting impersonation, such as a server, a distributedcomputing system, a desktop computer, a laptop, a cell phone, arack-mounted server, etc. The server system 202 can receive animpersonation claim from the client computer 204 via the network 206 atan I/O interface 216 for the server system 202. The I/O interface 216can be similar to the I/O interfaces 214 of the client computer 204. TheI/O interface 216 provides the received impersonation claim to a profileretrieving component 218 of the server system 202. The profileretrieving component 218 can retrieve information regarding profilesspecified in the received claim (e.g., the alleged victim's profile, thealleged impersonator's profile) from some or all data repositories 220a-e.

The data repositories 220 a-e contain information displayed on andrelated to user profile pages. The profile data repository 220 acontains data for fields of a profile page (e.g. name field, locationfield, etc.). The profile photo repository 220 b contains photos andimages that are displayed on or associated with a profile page (e.g.,the photos 112 b and 114 b from FIG. 1). The activity data repository220 c contains information associated with a user's level of activity ona social network (e.g., messages sent to other users, friends and/orfans on the social network, data regarding frequency of profile updatesand/or logins to the social network, etc.). The community datarepository 220 c contains data regarding community memberships for auser. The repository of negative and defamatory content 220 e caninclude data associated with a user's profile page that has been flaggedby other users and/or identified as being offensive (e.g., negative,pornographic, etc.) or defamatory—the presence of such content on auser's profile page may indicate the profile page is impersonatinganother user's profile page. The data repositories 220 a-e can beaccessed remotely by the server system 202 and may be populated withdata from the social network server 208.

The profile information retrieved by the profile retrieving component218 can be provided to the comparison module 222. The comparison module222 can compare the profile information for the alleged impersonator andthe alleged victim to identify similarities and dissimilarities. Avariety of comparisons can be performed, such as text-based comparisons(e.g., edit distance) and image-based comparisons (e.g., image signaturecomparison). The comparison module 222 can identify a degree ofsimilarity between elements (e.g., fields, photos, activity level, etc.)of the alleged impersonator's profile page and the alleged victim'sprofile page.

The comparison module 222 can provide results from comparing the allegedimpersonator with the alleged victim to an impersonation signal detector224. Similar to the discussion regarding the table 116 with regard tothe impersonation server 102 depicted in FIG. 1, the impersonationsignal detector 224 can identify signals of impersonation (as well assignals contrary to impersonation) based on the comparison resultsprovided by the comparison module 222. A variety of signals (indicators)can be detected, including some or all of the signals 120 a-j describedabove with regard to FIG. 1. Additional signals described below withregard to FIG. 3A can be detected as well.

The impersonation signal detector 224 can provide the detected signals(indicators) of impersonation to an impersonation analysis component226, which can analyze the detected signals to determine a likelihood ofimpersonation by the alleged impersonator's profile page. Similar to thedescription above with regard to FIG. 1, the impersonation analysiscomponent 226 can determine a likelihood of impersonation by combiningthe detected signals. In combining the detected signals, theimpersonation analysis component 226 may weight the detected signalsaccording to how strongly each detected signal indicates impersonation.For instance, assume a first signal (indicator) of impersonation regardsthe alleged impersonator having the same name and location as thealleged victim and a second signal of impersonation regards the allegedimpersonator sharing an interest with the alleged victim. In such anexample, the impersonation analysis component 226 may give the firstsignal a greater weight than the second signal when combining thedetected signals of impersonation—the first signal more stronglyindicates impersonation than the second signal.

The impersonation analysis component 226 can additionally determine alikelihood of impersonation based upon a variety of thresholds againstwhich the combined signals (indicators) of impersonation are compared.For example, the impersonation analysis component 226 may use a firstthreshold and a second threshold for making determinations. The firstthreshold may designate a level of impersonation signals above whichimpersonation is highly likely and below which impersonation is likely,but not certain. The second threshold may be less than the firstthreshold and may designate a level of impersonation signals above whichimpersonation is likely, but not certain, and below which impersonationis unlikely. Threshold levels may vary and any number of thresholds maybe used by the impersonation analysis component 226. Thresholdvariations can depend a variety of factors, such as a type of socialnetwork 210 (e.g., friendship, business networking, etc.) on whichimpersonation is being detected, a geographic area for the allegedvictim and/or alleged impersonator, etc.

The impersonation analysis component 226 can provide a reporting module228 with a determined likelihood of impersonation for the receivedimpersonation claim (from the client computer 204 and/or the socialnetwork server 208). The reporting module 228 can respond to the partythat submitted the impersonation claim with the results of theimpersonation detection by the server system 202. The reporting module228 can additionally contact the social network server 208 to delete orfreeze the account of the alleged impersonator if the impersonationanalysis component 226 has indicated a high likelihood of impersonation.The reporting module 228 may also place the impersonation claim in aqueue of claims for manual review if there is impersonation is likely,but not certain. The reporting module 228 can interact with the socialnetwork server 208 and the client computer 204 via the I/O interface 216and the network 206.

FIGS. 3A-B are flowcharts depicting example processes 300 and 350 fordetecting impersonation of a user profile page on a social network. Theprocesses 300 and 350 may be performed, for example, by a system such asthe systems 100 and 200 and, for clarity of presentation, thedescription that follows uses the systems 100 and 200 as the basis of anexample for describing the processes. However, another system, orcombination of systems, may be used to perform the processes 300 and350.

FIG. 3A is a flowchart depicting the example process 300 for detectingimpersonation of a user profile page on a social network. The process300 can be performed by any of a variety of servers and/or computingdevices, such as the impersonation server 102 described above withregard to FIG. 1 and/or the server system 202 described above withregard to FIG. 2.

At step 302, a claim is received that identifies a first user profilepage as allegedly impersonating a second user profile page. For example,the received claim can identify the profile page 106 of the allegedimpersonator and the profile page 104 of the alleged victim, asdescribed above with regard to FIG. 1. The claim can be received fromany of a variety of sources, such as the client computer 204 and/or thesocial network server 208, described above with regard to FIG. 2.

The claim is verified as having been made by a user who corresponds tothe first user profile page (step 304). For example, the server system202 may verify with the social network server 208 that the usersubmitting the claim of impersonation is the same as the alleged victim,as described above with regard to FIG. 2. First information associatedwith the first user profile page and second information associated withthe second user profile page is retrieved (step 306). For example, dataregarding the profile page of the alleged impersonator and the profilepage of the allege victim can be retrieved from the data repositories220 a-e by the profile retrieving component 218, as described above withregard to FIG. 2.

At step 308, the first information is compared with the secondinformation to identify indicators of impersonation. The firstinformation can also be compared with the second information to identifyindicators contrary to impersonation (step 310). For instance, thecomparison module 222 can compare data regarding profile pages of analleged impersonator and an alleged victim and the impersonation signaldetector 224 can identify signals (indicators) of impersonation andsignal contrary to impersonation, as described above with regard to FIG.2.

The first information can be analyzed for additional indicators ofimpersonation as well (step 312). As described above, the profile pageof an alleged impersonator may contain indicators (signals) ofimpersonation that can be detected without comparison to the profilepage of the alleged victim. For instance, an additional indicator ofimpersonation can include the profile page of the alleged impersonatorcontaining content that is obscene, pornographic, illegal, defamatory,negative, offensive, etc. Additionally, several of the indicators ofimpersonation 120 a-j described above with regard to FIG. 1 can begenerated by examining the profile page of the alleged impersonatoralone. For example, the indicators of (and/or contrary to) impersonation120 f, 120 h, and 120 j can be generated based upon the informationassociated with the profile 106 of the alleged impersonator (e.g.,impersonation can be indicated for the signal 120 f by the allegedimpersonator having been flagged twice).

At step 314, the first user profile page is determined to likely beimpersonating the second user profile page based on the detectedindicators. For example, the impersonation analysis component 226determines a likelihood of impersonation based upon the detectedindicators of impersonation, as described above with regard to FIG. 2. Aflag indicating that the first user profile page is likely impersonatingthe second user profile page is returned (step 316). For instance, thereporting module 228 can return a flag to the client computer 204 and/orto the social network server 208 indicating that a likelihood ofimpersonation for the received impersonation claim, as described abovewith regard to FIG. 2.

FIG. 3B is a flowchart depicting the example process 350 for detectingimpersonation of a user profile page on a social network. Morespecifically, the example process 350 regards identifying indicators ofimpersonation and, based upon the identified indicators, determining alikelihood of impersonation. The process 350 can be performed by any ofa variety of servers and/or computing devices, such as the impersonationserver 102 described above with regard to FIG. 1 and/or the serversystem 202 described above with regard to FIG. 2.

At step 352, the fields of a profile page of an alleged impersonator arecompared against the fields of a profile page of an alleged victim toidentify indicators of impersonation and/or indicators contrary toimpersonation. Such a comparison can involve a per-field comparison ofthe two profile pages (e.g., the name field 112 a of the allegedvictim's profile page 104 is compared with the name field 114 a of thealleged victim's profile page 106, the location field 112 c is comparedagainst the location field 114 c, etc.). The comparison can includecomparing current and previous values for each field. For example,assume the alleged victim's employer field was changed from “Acme” to“XY Corp.” and that the alleged impersonator's employer field is “Acme.”The current value (“XY Corp.”) of the alleged victim's employer field aswell as the previous value (“Acme”) can be compared against the currentvalue (as well as any previous values) of the alleged impersonator'semployer field. Similarity between fields of the alleged victim and thealleged impersonator can be indicators of impersonation.

Step 352 can involve comparing some or all of the fields of the allegedvictim's profile page and the alleged impersonator's profile page.Fields that can be compared depend on the fields available on the socialnetwork (e.g., friendship network, business networking site, etc.) ofthe alleged victim and impersonator. For example, fields that can becompared may include name, geographic location, occupation, employer,education institutions attended, contact information (e.g., email,phone, physical address, etc.), images, videos, songs, work history,skills, interests, certifications, etc.

As demonstrated above with regard to the chart 116 depicted in FIG. 1,field comparisons can take into account the timing by which similarcontent was added to a field of the alleged impersonator's profile andto a field of the alleged victim's profile. If similar content was addedto an alleged impersonator's profile after it was added to an allegedvictim's profile page, the timing can indicate impersonation.Conversely, if similar content was added to an alleged impersonator'sprofile before it was added to an alleged victim's profile page, thetiming can be an indicator contrary to impersonation. For instance, ifthe alleged impersonator updated its employer field to recite “Acme”before the alleged victim did so, then impersonation is not indicated bythis comparison (the alleged impersonator could not copy the allegedvictim's field)—such a comparison can identify an indicator contrary toimpersonation.

Indicators of impersonation (and indicators contrary to impersonation)can be weighted according to how strongly they each indicateimpersonation. Strength of impersonation can be based on the similarityof the fields (e.g., fields that are more similar (e.g., identical) canmore strongly indicate impersonation than fields that are less similar),the type of field (e.g., identifying field (name, contact information),interest field, etc.), and/or the timing of the two fields (see previousparagraph). For instance, a name field identically matching can morestrongly indicate impersonation than an interest field.

In addition to the other mentioned factors, strength of impersonationmay also be based upon how common the similar/matching value is for afield on the social network, within a sub-graph (a collection of usersthat is connected by acquaintance relationships and reasonably separatefrom other, unconnected users) on the social network, and/or within ageographic region (e.g., North America, Europe, etc.). For example, ifthe name “Bob” is more common on a social network than then name“Roberto,” then a match for the name “Roberto” may more stronglyindicate impersonation than a match for the name “Bob.”

At step 354, sensitive fields of the alleged victim can be comparedagainst the entire profile of the alleged impersonator (e.g.,cross-field comparison can be performed) to identify indicators ofimpersonation and/or indicators contrary to impersonation. Sensitivefields can include fields that identify a user and/or provide contactinformation outside of the social network for a user, such as a namefield, a phone number field, an email field, etc. For instance, if analleged victim's name and email address are located in an “about me”field of the alleged impersonator's profile page, then a match for thename and email fields of the alleged victim is found. Although subjectto the same strength of impersonation factors (e.g., degree ofsimilarity, timing, commonality on the social network, field type, etc.)discussed above, a match of sensitive information can generally indicateimpersonation more strongly than other non-sensitive information.

At step 356, photos and/or images contained on the profile page of thealleged victim and the profile page of the alleged impersonator arecompared to identify indicators of impersonation and/or indicatorscontrary to impersonation. As described above with regard to FIGS. 1 and2, photos and/or images can be compared using a variety of techniques,including comparing photo/image signatures, performing a visualphoto/image comparison, comparing photo/image metadata (e.g., time ofcreation, identity of author, etc.), performing facial recognition onthe alleged impersonator's photos/images using an photo of the allegedvictim's face to identify non-matching images that pertaining to thealleged victim, etc. Some or all of the photos and/or images containedon an alleged victim's page can be compared against the photos and/orimages contained on the alleged impersonator's profile page. Althoughsubject to the same strength of impersonation factors (e.g., degree ofsimilarity, timing, commonality on the social network, field type, etc.)discussed above, a match of a photo and/or an image can indicateimpersonation more strongly than some field matches, such asnon-sensitive fields.

For instance, a photo on the alleged victim's profile page that wasadded before and matches a photo on the alleged impersonator's profilepage may strongly indicate impersonation. Conversely, a photo on thealleged victim's profile page that was added after and matches a photoon the alleged impersonator's profile page may provide a strongindication contrary to impersonation.

Friends of the alleged impersonator and friends of the alleged victimcan be compared to identify indicators of impersonation and/orindicators contrary to impersonation (step 358). Various aspects of thefriends of the alleged impersonator and the alleged victim can becompared to identify indicators of impersonation and/or indicatorscontrary to impersonation. For instance, if the alleged impersonator hasmore friends than the alleged victim, an indicator contrary toimpersonation can be identified. In another example, if the allegedimpersonator and the alleged victim are friends, a strong indicatoragainst impersonation can be identified. In a further example, if alarge number of friends of the alleged victim have flagged the profileof the alleged impersonator (e.g., identified the alleged impersonator'sprofile as being fake), a strong indicator of impersonation can beidentified.

Depending on a variety of factors (e.g., a type of social network, howfriendship relationships are used by the alleged impersonator and thealleged victim, timing of when friendship relationships of a commonfriend were established, etc.), an analysis of whether the matching setsof friends can either be an indicator of impersonation or an indicatorcontrary to impersonation. For instance, an alleged impersonator adding(or attempting to add—sending friend requests) a group of the allegedvictim's friends after they were added by the alleged victim may be anindicator of impersonation.

At step 360, community memberships of the alleged impersonator and ofthe alleged victim can be compared to identify indicators ofimpersonation and/or indicators contrary to impersonation. A variety ofindicators of impersonation can be identified based upon communitymemberships of the alleged impersonator and the alleged victim. Forexample, if the alleged impersonator is a member of a community that hasbeen deleted and/or a member of community that has been flagged (forhaving content that is inappropriate, pornographic, obscene, etc.) alarge number of times in relation to the community having a small numberof members (as compared with other communities on the social network),then an indicator of impersonation can be identified. In anotherexample, if the alleged impersonator and the alleged victim share athreshold amount (as a percentage or a raw number) communities, then anindicator of impersonation can be identified. In a further example, ifthe alleged impersonator is the creator (e.g., owner) of one or morecommunities that have a moderate number of members (in relation to othercommunities on the social network) and that have not been flagged, thenan indicator contrary to impersonation can be identified.

An age of the alleged impersonator's profile page can be compared withan age of the alleged victim's profile page to identify indicators ofimpersonation and/or indicators contrary to impersonation (step 362). Anindictor of impersonation can be identified for the alleged victim'sprofile is older than the alleged impersonator's page. The strength ofthe indication of impersonation can be based on the relative differencein age between the two profile pages. For instance, a strongerindication of impersonation can be identified if the alleged victim'sprofile page was created five years ago and the alleged impersonator'sprofile page was created a week ago than if the alleged victim's profilepage was created two years ago and the alleged impersonator's profilepage was create a year and a half ago. Conversely, an indicator contraryto impersonation can be identified if the alleged victim's profile pageis younger (created after) the alleged impersonator's profile page.

At step 364, activity on the social network for the allegedimpersonator's profile can be compared against activity related to thealleged victim's profile to identify indicators of impersonation and/orindicators contrary to impersonation. Activity on a social networkassociated with a user's profile can be gauged from a variety ofsources, such as a number of messages sent and/or received on the socialnetwork, a number of fans on the social network, a number of flags fromother users, a number of friends on the social network, frequency ofprofile updates and page views, etc. If the alleged victim is determinedto have a greater level of activity than the alleged impersonator, thenan indicator of impersonation can be identified. The strength of such anindicator can depend on the disparity in activity between the allegedvictim and the alleged impersonator—a greater disparity can provide astronger indication of impersonation while a small disparity can providelittle, if any, indication of impersonation. Conversely, if the allegedvictim is determined to have a lower level of activity than the allegedimpersonator, then an indicator contrary to impersonation can beidentified.

Additionally, activity trends can be taken into account when making suchdeterminations. Consistent activity on the social network by the allegedvictim juxtaposed against sporadic, heavy levels of activity by thealleged impersonator can provide an indication of impersonation. Forexample, if the alleged victim sends between ten and twenty messages aweek while the alleged impersonator sends one hundred messages in asingle day and then no messages for months, then an indicator ofimpersonation can be identified.

Services provided on the social network (e.g., online games,applications permitting online collaboration with other users, email,blogging, etc.) that are associated with the alleged impersonator andthe alleged victim can be compared to identify indicators ofimpersonation and/or indicators contrary to impersonation (step 366). Ifthe alleged victim is associated with more services than the allegedimpersonator, then an indicator of impersonation can be identified.Similar to other indicators discussed above, a strength of such anindicator can depend on a disparity between the services associated withthe alleged victim and the alleged impersonator—the greater thedisparity, the greater the more strongly impersonation is indicated.Conversely, if the alleged impersonator is associated with more servicesthan the alleged victim, then an indicator contrary to impersonation canbe identified.

At step 368, the profile of the alleged impersonator is analyzed toidentify indicators of impersonation and/or indicators contrary toimpersonation. Indicators of impersonation can be identified with regardto the profile page of the alleged impersonator without consideration ofthe profile page of the alleged victim, as described above with regardto FIGS. 1 and 2. A variety of indicators of impersonation can bedetected from the profile page of the alleged impersonator, includingsome indicators discussed above with regard to steps 352-366. Forinstance, fields of the alleged impersonator's profile page containingcontent that defames the purported user associated with the page canindicate impersonation. In another example, fields, photos, and/orimages that contain obscene, offensive, pornographic, and/or illegalcontent can indicate impersonation as well.

Some or all of the indicators of impersonation (and/or the indicatorscontrary to impersonation) identified in steps 352-368 can be combinedto determine whether there is a high likelihood that the allegedimpersonator is impersonating the alleged victim (step 370). Theindicators can be combined in a variety of manners, as described abovewith reference to FIGS. 1 and 2. As described above with regard to theimpersonation analysis component 226 and the reporting module 228 of theserver system 202, a threshold can be used to determine whether thecombined indicators of impersonation correspond to a high likelihood ofimpersonation.

If a high likelihood of impersonation is determined, then the profile ofthe alleged impersonator can be deleted from the social network (step372). If a high likelihood of impersonation is not determined, then adetermination can be made as to a medium likelihood of impersonation(e.g., impersonation is likely, but not certain enough to warrantautomatic deletion of the alleged impersonator) (step 374). Thedetermination can be made similar to the determination made at step 370but with a lower threshold. If a medium likelihood of impersonation isdetected, then the profile of the alleged impersonator can be flaggedfor further review (e.g., manual review by a human). If a mediumlikelihood of impersonation is not determined (e.g., there is a lowlikelihood of impersonation), then the process 350 can end. In someimplementations, if a low likelihood of impersonation is determined, thealleged victim can be asked to send in photo identification (e.g., apassport, a driver's license, etc.) to further substantiate the claim ofimpersonation.

In various implementations, scoring method can be used to determine alikelihood of impersonation. In such scoring methods, each indicator ofimpersonation and indicator contrary to impersonation can be assigned ascore that corresponds to how strongly impersonation is indicated (ornot indicated) by the detected signal of impersonation. For example, astrong indicator of impersonation (e.g., matching name fields betweenthe alleged impersonator and the alleged victim) may receive a scorethat is two times, five times, ten times, twenty times, fifty times,etc. greater than a weak indicator of impersonation (e.g., matchinginterest fields between the alleged impersonator and the allegedvictim). Scores assigned to indicators can vary among social networks(e.g., a friendship network, a business networking site, etc.),geographic locations, sub-graphs of a social network, etc.

In some implementations, indicators of impersonation can receivepositive scores and indicators contrary to impersonation can receivenegative scores. In such implementations, the scores for indicators canbe aggregated into a match score for the alleged impersonator and thealleged victim (e.g., indicators of impersonation increase the matchscore and indicators contrary to impersonation decrease the matchscore). Determining a degree of likelihood of impersonation (e.g., ahigh likelihood, a medium likelihood, etc.) can involve comparing thescore to various thresholds. For example, if the match score exceeds athreshold corresponding to a high likelihood of impersonation, then thealleged impersonator can be determined to have a high likelihood ofimpersonation. Similar to scores, threshold levels can vary among socialnetworks (e.g., a friendship network, a business networking site, etc.),geographic locations, sub-graphs of a social network, etc.

Scoring thresholds can be determined in a variety of ways, such as byanalyzing match scores produced for known cases of impersonation (e.g.,alleged impersonator is impersonating the alleged victim) and/or knowncases without impersonation (e.g., alleged impersonator is notimpersonating the alleged victim). For example, thresholds can begenerated through an automated analysis on a large sample of manuallyresolved claims of impersonation. Such an automated analysis can producea histogram depicting the frequency of scores for both “impersonation”and “not impersonation” cases. Various thresholds can be determined fromthe histogram and the frequencies it depicts.

Various scores for indicators of impersonation and/or indicatorscontrary to impersonation can be capped at a maximum (or minimum) value.For instance, by using capping, a strong indicator of impersonation maynot single-handedly boost the match score above any of the variousthresholds that correspond to a likelihood of impersonation.Additionally, categories of scores for indicators of impersonation canadditionally be capped. For instance, a maximum score may be contributedfrom matching photos.

FIG. 4 is a timeline 400 of an example process for detectingimpersonation of a user profile page on a social network. The exampleprocess can be performed by a client computer 402, an impersonationserver system 404, and a repository of social network profile data 406,which may be similar to and/or correspond to the client computer 204,the impersonation server systems 102 and 202, and the data repositories220 a-e, respectively. Similarly, the example process depicted on thetimeline 400 may be similar to the processes 300 and/or 350, describedabove with respect to FIGS. 3A-B.

At time 408, the client computer 408 submits an impersonation claim tothe impersonation server 404. The submitted claim of impersonation caninclude the identity of an alleged impersonator and the identity of analleged victim. At time 410, the impersonation server retrieves profiledata for the alleged victim and the alleged impersonator from therepository of social network profile data 406. At time 412, therepository of social network repository data returns profile data forthe alleged victim and the alleged impersonator to the impersonationserver 404.

At time 414, the impersonation server 404 compares the retrieved profiledata for the alleged victim with the profile data for the allegedimpersonator to detect signals (indicators) of impersonation. In variousimplementations, the impersonation server 404 can score the detectedsignals of impersonation, as described above with regard to FIG. 3B. Attime 416, the impersonation server 404 analyzes the profile of thealleged impersonator for signals of impersonation, similar to theanalysis described with regard to step 368.

At time 418, the impersonation server 404 determines a likelihood thatimpersonation is taking place (e.g., a likelihood that the allegedimpersonator is impersonating the alleged victim) based on the detectedsignals. In various implementations, the impersonation server 404 maymake such a determination by comparing a match score to variousthresholds corresponding to various likelihoods of impersonation. Attime 420, the client computer 402 receives notification from theimpersonation server 404 regarding a likelihood of impersonation. Insome implementations, at time 422 the impersonation server 404 sends anotification to a social network server (not depicted) regardingdeletion of the alleged impersonator's profile page and/or indicatingthe manual review of the alleged impersonator's profile page should beconducted.

FIG. 5 is a block diagram of computing devices 500, 550 that may be usedto implement the systems and methods described in this document, aseither a client or as a server or plurality of servers. Computing device500 is intended to represent various forms of digital computers, such aslaptops, desktops, workstations, personal digital assistants, servers,blade servers, mainframes, and other appropriate computers. Computingdevice 550 is intended to represent various forms of mobile devices,such as personal digital assistants, cellular telephones, smartphones,and other similar computing devices. Additionally computing device 500or 550 can include Universal Serial Bus (USB) flash drives. The USBflash drives may store operating systems and other applications. The USBflash drives can include input/output components, such as a wirelesstransmitter or USB connector that may be inserted into a USB port ofanother computing device. The components shown here, their connectionsand relationships, and their functions, are meant to be exemplary only,and are not meant to limit implementations of the inventions describedand/or claimed in this document.

Computing device 500 includes a processor 502, memory 504, a storagedevice 506, a high-speed interface 508 connecting to memory 504 andhigh-speed expansion ports 510, and a low speed interface 512 connectingto low speed bus 514 and storage device 506. Each of the components 502,504, 506, 508, 510, and 512, are interconnected using various busses,and may be mounted on a common motherboard or in other manners asappropriate. The processor 502 can process instructions for executionwithin the computing device 500, including instructions stored in thememory 504 or on the storage device 506 to display graphical informationfor a GUI on an external input/output device, such as display 516coupled to high speed interface 508. In other implementations, multipleprocessors and/or multiple buses may be used, as appropriate, along withmultiple memories and types of memory. Also, multiple computing devices500 may be connected, with each device providing portions of thenecessary operations (e.g., as a server bank, a group of blade servers,or a multi-processor system).

The memory 504 stores information within the computing device 500. Inone implementation, the memory 504 is a volatile memory unit or units.In another implementation, the memory 504 is a non-volatile memory unitor units. The memory 504 may also be another form of computer-readablemedium, such as a magnetic or optical disk.

The storage device 506 is capable of providing mass storage for thecomputing device 500. In one implementation, the storage device 506 maybe or contain a computer-readable medium, such as a floppy disk device,a hard disk device, an optical disk device, or a tape device, a flashmemory or other similar solid state memory device, or an array ofdevices, including devices in a storage area network or otherconfigurations. A computer program product can be tangibly embodied inan information carrier. The computer program product may also containinstructions that, when executed, perform one or more methods, such asthose described above. The information carrier is a computer- ormachine-readable medium, such as the memory 504, the storage device 506,or memory on processor 502.

The high speed controller 508 manages bandwidth-intensive operations forthe computing device 500, while the low speed controller 512 manageslower bandwidth-intensive operations. Such allocation of functions isexemplary only. In one implementation, the high-speed controller 508 iscoupled to memory 504, display 516 (e.g., through a graphics processoror accelerator), and to high-speed expansion ports 510, which may acceptvarious expansion cards (not shown). In the implementation, low-speedcontroller 512 is coupled to storage device 506 and low-speed expansionport 514. The low-speed expansion port, which may include variouscommunication ports (e.g., USB, Bluetooth, Ethernet, wireless Ethernet)may be coupled to one or more input/output devices, such as a keyboard,a pointing device, a scanner, or a networking device such as a switch orrouter, e.g., through a network adapter.

The computing device 500 may be implemented in a number of differentforms, as shown in the figure. For example, it may be implemented as astandard server 520, or multiple times in a group of such servers. Itmay also be implemented as part of a rack server system 524. Inaddition, it may be implemented in a personal computer such as a laptopcomputer 522. Alternatively, components from computing device 500 may becombined with other components in a mobile device (not shown), such asdevice 550. Each of such devices may contain one or more of computingdevice 500, 550, and an entire system may be made up of multiplecomputing devices 500, 550 communicating with each other.

Computing device 550 includes a processor 552, memory 564, aninput/output device such as a display 554, a communication interface566, and a transceiver 568, among other components. The device 550 mayalso be provided with a storage device, such as a microdrive or otherdevice, to provide additional storage. Each of the components 550, 552,564, 554, 566, and 568, are interconnected using various buses, andseveral of the components may be mounted on a common motherboard or inother manners as appropriate.

The processor 552 can execute instructions within the computing device550, including instructions stored in the memory 564. The processor maybe implemented as a chipset of chips that include separate and multipleanalog and digital processors. Additionally, the processor may beimplemented using any of a number of architectures. For example, theprocessor 410 may be a CISC (Complex Instruction Set Computers)processor, a RISC (Reduced Instruction Set Computer) processor, or aMISC (Minimal Instruction Set Computer) processor. The processor mayprovide, for example, for coordination of the other components of thedevice 550, such as control of user interfaces, applications run bydevice 550, and wireless communication by device 550.

Processor 552 may communicate with a user through control interface 558and display interface 556 coupled to a display 554. The display 554 maybe, for example, a TFT (Thin-Film-Transistor Liquid Crystal Display)display or an OLED (Organic Light Emitting Diode) display, or otherappropriate display technology. The display interface 556 may compriseappropriate circuitry for driving the display 554 to present graphicaland other information to a user. The control interface 558 may receivecommands from a user and convert them for submission to the processor552. In addition, an external interface 562 may be provide incommunication with processor 552, so as to enable near areacommunication of device 550 with other devices. External interface 562may provide, for example, for wired communication in someimplementations, or for wireless communication in other implementations,and multiple interfaces may also be used.

The memory 564 stores information within the computing device 550. Thememory 564 can be implemented as one or more of a computer-readablemedium or media, a volatile memory unit or units, or a non-volatilememory unit or units. Expansion memory 574 may also be provided andconnected to device 550 through expansion interface 572, which mayinclude, for example, a SIMM (Single In Line Memory Module) cardinterface. Such expansion memory 574 may provide extra storage space fordevice 550, or may also store applications or other information fordevice 550. Specifically, expansion memory 574 may include instructionsto carry out or supplement the processes described above, and mayinclude secure information also. Thus, for example, expansion memory 574may be provide as a security module for device 550, and may beprogrammed with instructions that permit secure use of device 550. Inaddition, secure applications may be provided via the SIMM cards, alongwith additional information, such as placing identifying information onthe SIMM card in a non-hackable manner.

The memory may include, for example, flash memory and/or NVRAM memory,as discussed below. In one implementation, a computer program product istangibly embodied in an information carrier. The computer programproduct contains instructions that, when executed, perform one or moremethods, such as those described above. The information carrier is acomputer- or machine-readable medium, such as the memory 564, expansionmemory 574, or memory on processor 552 that may be received, forexample, over transceiver 568 or external interface 562.

Device 550 may communicate wirelessly through communication interface566, which may include digital signal processing circuitry wherenecessary. Communication interface 566 may provide for communicationsunder various modes or protocols, such as GSM voice calls, SMS, EMS, orMMS messaging, CDMA, TDMA, PDC, WCDMA, CDMA2000, or GPRS, among others.Such communication may occur, for example, through radio-frequencytransceiver 568. In addition, short-range communication may occur, suchas using a Bluetooth, WiFi, or other such transceiver (not shown). Inaddition, GPS (Global Positioning System) receiver module 570 mayprovide additional navigation- and location-related wireless data todevice 550, which may be used as appropriate by applications running ondevice 550.

Device 550 may also communicate audibly using audio codec 560, which mayreceive spoken information from a user and convert it to usable digitalinformation. Audio codec 560 may likewise generate audible sound for auser, such as through a speaker, e.g., in a handset of device 550. Suchsound may include sound from voice telephone calls, may include recordedsound (e.g., voice messages, music files, etc.) and may also includesound generated by applications operating on device 550.

The computing device 550 may be implemented in a number of differentforms, as shown in the figure. For example, it may be implemented as acellular telephone 580. It may also be implemented as part of asmartphone 582, personal digital assistant, or other similar mobiledevice.

Various implementations of the systems and techniques described here canbe realized in digital electronic circuitry, integrated circuitry,specially designed ASICs (application specific integrated circuits),computer hardware, firmware, software, and/or combinations thereof.These various implementations can include implementation in one or morecomputer programs that are executable and/or interpretable on aprogrammable system including at least one programmable processor, whichmay be special or general purpose, coupled to receive data andinstructions from, and to transmit data and instructions to, a storagesystem, at least one input device, and at least one output device.

These computer programs (also known as programs, software, softwareapplications or code) include machine instructions for a programmableprocessor, and can be implemented in a high-level procedural and/orobject-oriented programming language, and/or in assembly/machinelanguage. As used herein, the terms “machine-readable medium”“computer-readable medium” refers to any computer program product,apparatus and/or device (e.g., magnetic discs, optical disks, memory,Programmable Logic Devices (PLDs)) used to provide machine instructionsand/or data to a programmable processor, including a machine-readablemedium that receives machine instructions as a machine-readable signal.The term “machine-readable signal” refers to any signal used to providemachine instructions and/or data to a programmable processor.

To provide for interaction with a user, the systems and techniquesdescribed here can be implemented on a computer having a display device(e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor)for displaying information to the user and a keyboard and a pointingdevice (e.g., a mouse or a trackball) by which the user can provideinput to the computer. Other kinds of devices can be used to provide forinteraction with a user as well; for example, feedback provided to theuser can be any form of sensory feedback (e.g., visual feedback,auditory feedback, or tactile feedback); and input from the user can bereceived in any form, including acoustic, speech, or tactile input.

The systems and techniques described here can be implemented in acomputing system that includes a back end component (e.g., as a dataserver), or that includes a middleware component (e.g., an applicationserver), or that includes a front end component (e.g., a client computerhaving a graphical user interface or a Web browser through which a usercan interact with an implementation of the systems and techniquesdescribed here), or any combination of such back end, middleware, orfront end components. The components of the system can be interconnectedby any form or medium of digital data communication (e.g., acommunication network). Examples of communication networks include alocal area network (“LAN”), a wide area network (“WAN”), peer-to-peernetworks (having ad-hoc or static members), grid computinginfrastructures, and the Internet.

The computing system can include clients and servers. A client andserver are generally remote from each other and typically interactthrough a communication network. The relationship of client and serverarises by virtue of computer programs running on the respectivecomputers and having a client-server relationship to each other.

Although a few implementations have been described in detail above,other modifications are possible. Moreover, other mechanisms fordetecting impersonation on a social network may be used. In addition,the logic flows depicted in the figures do not require the particularorder shown, or sequential order, to achieve desirable results. Othersteps may be provided, or steps may be eliminated, from the describedflows, and other components may be added to, or removed from, thedescribed systems. Accordingly, other implementations are within thescope of the following claims.

What is claimed is:
 1. A computer-implemented method comprising:receiving, using one or more computing devices, an indication thatidentifies a first user profile as allegedly impersonating a second userprofile; retrieving, using the one or more computing devices, firstprofile information associated with the first user profile and secondprofile information associated the second user profile; determining,using the one or more computing devices, similarities of elements in thefirst user profile information and corresponding elements in the seconduser profile information; based at least in part on the determinedsimilarities of elements in the first user profile information andcorresponding elements in the second user profile information,determining whether the first user profile is likely impersonating thesecond user profile; and when it is determined that the first userprofile is likely impersonating the second user profile, returning,using the one or more computing devices, a flag indicating that thefirst user profile is likely impersonating the second user profile. 2.The computer-implemented method of claim 1, further comprising:identifying one or more first times at which the elements in the firstuser profile information were added to the first user profile, and oneor more second times at which the corresponding elements in the secondprofile information were added to the second user profile; comparing theone or more first times with the one or more second times; and whereinthe determination of whether the first user profile is likelyimpersonating the second user profile is further based, at least inpart, on the comparison of the one or more first times with the one ormore second times.
 3. The computer-implemented method of claim 2,wherein impersonation of the second user profile by the first userprofile is indicated by i) at least a portion of the elements in thefirst user profile information being determined to have at least athreshold level of similarity to at least a portion of the correspondingelements in the second user profile information, and ii) the at least aportion of the elements in the first user profile information havingbeen added to the first user profile after the at least a portion of thecorresponding elements in the second user profile information were addedto the second user profile.
 4. The computer-implemented method of claim2, wherein no impersonation of the second user profile by the first userprofile is indicated by i) at least a portion of the elements in thefirst user profile information being determined to have at least athreshold level of similarity to at least a portion of the correspondingelements in the second user profile information, and ii) the at least aportion of the elements in the first user profile information havingbeen added to the first user profile before the at least a portion ofthe corresponding elements in the second user profile information wereadded to the second user profile.
 5. The computer-implemented method ofclaim 1, further comprising: determining whether the first user profileinformation includes particular content that i) mentions a user that ispurported to be associated with the first user profile or the seconduser profile in a negative manner, or ii) is of one or morepredetermined types of bad content; and wherein the determination ofwhether the first user profile is likely impersonating the second userprofile is further based, at least in part, on the determination ofwhether the first user profile information includes the particularcontent.
 6. The computer-implemented method of claim 5, wherein the oneor more predetermined types of bad content are selected from the groupconsisting of: obscene content, offensive content, pornographic content,and illegal content.
 7. The computer-implemented method of claim 1,wherein the elements in the first user profile information are selectedfrom the group consisting of: fields of the first user profile,sensitive fields of the first user profile, photos, identities of otherusers who are designated as friends, group memberships, a user age orbirthdate, social network activity of a user associated with the firstuser profile, and services associated with the first user profile.
 8. Asystem comprising: one or more computing devices; an interface of theone or more computing devices programmed to receive an indication thatidentifies a first user profile as allegedly impersonating a second userprofile; a user profile retrieving component programmed to retrievefirst profile information associated with the first user profile andsecond profile information associated the second user profile; animpersonation signal detector programmed to determine similarities ofelements in the first user profile information and correspondingelements in the second user profile information; an impersonationanalysis component programmed to determine whether the first userprofile is likely impersonating the second user profile based at leastin part on the similarities of elements in the first user profileinformation and corresponding elements in the second user profileinformation determined by the impersonation signal detector; and areporting module programmed to return a flag indicating that the firstuser profile is likely impersonating the second user profile when theimpersonation analysis component has determined that the first userprofile is likely impersonating the second user profile.
 9. The systemof claim 8, further comprising: a comparison module programmed tocompare one or more first times at which the elements in the first userprofile information were added to the first user profile, with one ormore second times at which the corresponding elements in the secondprofile information were added to the second user profile; and whereinthe impersonation analysis component is further programmed to determinewhether the first user profile is likely impersonating the second userprofile further based, at least in part, on the comparison of the one ormore first times with the one or more second times.
 10. The system ofclaim 9, wherein impersonation of the second user profile by the firstuser profile is indicated by i) at least a portion of the elements inthe first user profile information being determined to have at least athreshold level of similarity to at least a portion of the correspondingelements in the second user profile information, and ii) the at least aportion of the elements in the first user profile information havingbeen added to the first user profile after the at least a portion of thecorresponding elements in the second user profile information were addedto the second user profile.
 11. The system of claim 9, wherein noimpersonation of the second user profile by the first user profile isindicated by i) at least a portion of the elements in the first userprofile information being determined to have at least a threshold levelof similarity to at least a portion of the corresponding elements in thesecond user profile information, and ii) the at least a portion of theelements in the first user profile information having been added to thefirst user profile before the at least a portion of the correspondingelements in the second user profile information were added to the seconduser profile.
 12. The system of claim 8, wherein the impersonationanalysis component is further programmed to determine whether the firstuser profile is likely impersonating the second user profile furtherbased, at least in part, on whether the first user profile informationincludes particular content that i) mentions a user that is purported tobe associated with the first user profile or the second user profile ina negative manner, or ii) is of one or more predetermined types of badcontent.
 13. The system of claim 12, wherein the one or morepredetermined types of bad content are selected from the groupconsisting of: obscene content, offensive content, pornographic content,and illegal content.
 14. The system of claim 8, wherein the elements inthe first user profile information are selected from the groupconsisting of: fields of the first user profile, sensitive fields of thefirst user profile, photos, identities of other users who are designatedas friends, group memberships, a user age or birthdate, social networkactivity of a user associated with the first user profile, and servicesassociated with the first user profile.
 15. A computer program productembodied in a computer-readable storage device storing instructionsthat, when executed, cause one or more processors to perform operationscomprising: receiving an indication that identifies a first user profileas allegedly impersonating a second user profile; retrieving firstprofile information associated with the first user profile and secondprofile information associated the second user profile; determiningsimilarities of elements in the first user profile information andcorresponding elements in the second user profile information; based atleast in part on the determined similarities of elements in the firstuser profile information and corresponding elements in the second userprofile information, determining whether the first user profile islikely impersonating the second user profile; and when it is determinedthat the first user profile is likely impersonating the second userprofile, returning a flag indicating that the first user profile islikely impersonating the second user profile.
 16. The computer programproduct of claim 15, wherein the operations further comprise:identifying one or more first times at which the elements in the firstuser profile information were added to the first user profile, and oneor more second times at which the corresponding elements in the secondprofile information were added to the second user profile; comparing theone or more first times with the one or more second times; and whereinthe determination of whether the first user profile is likelyimpersonating the second user profile is further based, at least inpart, on the comparison of the one or more first times with the one ormore second times.
 17. The computer program product of claim 16, whereinimpersonation of the second user profile by the first user profile isindicated by i) at least a portion of the elements in the first userprofile information being determined to have at least a threshold levelof similarity to at least a portion of the corresponding elements in thesecond user profile information, and ii) the at least a portion of theelements in the first user profile information having been added to thefirst user profile after the at least a portion of the correspondingelements in the second user profile information were added to the seconduser profile.
 18. The computer program product of claim 16, wherein noimpersonation of the second user profile by the first user profile isindicated by i) at least a portion of the elements in the first userprofile information being determined to have at least a threshold levelof similarity to at least a portion of the corresponding elements in thesecond user profile information, and ii) the at least a portion of theelements in the first user profile information having been added to thefirst user profile before the at least a portion of the correspondingelements in the second user profile information were added to the seconduser profile.
 19. The computer program product of claim 15, wherein theoperations further comprise: determining whether the first user profileinformation includes particular content that i) mentions a user that ispurported to be associated with the first user profile or the seconduser profile in a negative manner, or ii) is of one or morepredetermined types of bad content; and wherein the determination ofwhether the first user profile is likely impersonating the second userprofile is further based, at least in part, on the determination ofwhether the first user profile information includes the particularcontent.
 20. The computer program product of claim 19, wherein the oneor more predetermined types of bad content are selected from the groupconsisting of: obscene content, offensive content, pornographic content,and illegal content.
 21. The computer program product of claim 15,wherein the elements in the first user profile information are selectedfrom the group consisting of: fields of the first user profile,sensitive fields of the first user profile, photos, identities of otherusers who are designated as friends, group memberships, a user age orbirthdate, social network activity of a user associated with the firstuser profile, and services associated with the first user profile.